CVE-2015-8474
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Summary
Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985.
Vulnerable Configurations
Nessus
NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_3EC2E0BC9ED711E58F5C002590263BF5.NASL
description: Redmine reports: Open Redirect vulnerability.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 87293
published: 2015-12-10
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/87293
title: FreeBSD : redmine -- open redirect vulnerability (3ec2e0bc-9ed7-11e5-8f5c-002590263bf5)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-3529.NASL
description: Multiple vulnerabilities have been found in Redmine, a project management web application, which may result in information disclosure.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 90127
published: 2016-03-24
reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90127
title: Debian DSA-3529-1 : redmine - security update